I have not used Winroute, but I have seen Napster bypass a Checkpoint FW-1 by going out on port 80. The only real way to stop Napster traffic is to search for all the servers they own and block the address block using ACLs on the router. This will make it much more difficult, although proxy services may still work. In which case you can set up a machine running some sniffing program (I prefer Sniffer Pro from Network Associates) and set alarms and triggers to capture all traffic when utilization reaches a certain threshold. It won't take long to find the remaining addresses needed to block.

The only problem is if you are using Hide NAT or PAT you will not know which internal client has made the connection. Dynamic one-to-one NAT will work very nicely if you maintain logs to track who the actual offenders are. I usually use Windows 2000 NAT, which provides a Mappings table, which in conjunction with the sniffer could help to pinpoint the offenders. At that point turn it over to HR and let them add a warning to the user's file.

It also is a must to have an Acceptable Use Policy which prohibits these activities explicitly, so it may be dealt with through HR instead of technologically. Basically the company has to stand behind IT and enforce the policy, and you must provide HR with the logs to back up these AUPs.

HTH

Ken Claussen MCSE CCNA CCA
[EMAIL PROTECTED]
"The Mind is a Terrible thing to Waste!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of elvene
Sent: Thursday, November 30, 2000 5:49 PM
To: [EMAIL PROTECTED]
Subject: Napster Proxies -vs- NAT & PORT blocking - Am I Secure??

I recognize that it may be nearly impossible to prevent Napster music file downloads through port and IP blocking (even stateful), given the plethora of (bewildering to me) Socks/HTTPS proxy widget solutions now available to the dedicated Napsterer to circumvent download restrictions.
I am not unconcerned, but am far less concerned about my users downloading files on their lunch hour than I am concerned over the fact that my users may end up sharing files I would not want shared, whether intentionally or accidentally, via software tools installed to support these file clearinghouse systems. In fact, my real fear is that the more forcefully I close off Napster, the more creative the solutions used to circumvent the blocks will become, and the more likelihood that someone will open a hole I don't even realize is possible, nor do they even know they made it. It seems like an arms race, and I fear I am still at the point of ooh-ing and aah-ing over my new bow and arrow, while they are at the AK47 stage.

I am using WinRoute 4.1 on an NT platform, forcing all HTTP access via Proxy, and (will be) blocking all ports that are unused to outbound traffic on the NAT as soon as I finish the final stages of determining what each is. Unfortunately, I may be forced to open 20 and 21 outbound to all sites, because of FTP downloads we need to perform that don't seem to proxy correctly. My intention is for all IP traffic to be blocked by default, and enabled only for the specific applications, and targeted to the appropriate specific Host/Port/Protocol ranges.

What I was wondering is if any of you are aware of the existence of a circumvention solution that will allow my users to service requests for file downloads, across my Winroute NAT (stateful inspection with most ports blocked outbound) and web browsing only via my proxy server here (but not limited to specific sites), by utilizing the more creative tools available to them? Or asked another way, does anyone perceive a hole there that I don't see?

Any input will be greatly appreciated.

Guy Skaggs
Director of Technology
Martingale Asset Management

- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
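Ken's suggestion of combining the NAT Mappings table with the sniffer's captures, as an added example that is not part of either message: a small Python script (every address, netblock, port and timestamp in it is constructed sample data, and the blocked netblocks are placeholders for whatever ranges the sniffer turned up) that resolves each sniffed connection into a blocked range back to the internal client through the port mapping active at that moment, and reports it as unattributed when no mapping covers it, which is exactly the Hide NAT/PAT problem he describes.

```python
"""Correlate a NAT mapping table with a sniffer's outside-interface log to
attribute connections into a blocked address range to the internal client."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the thread). The blocked netblocks are
# documentation-range placeholders standing in for the service's servers.
BLOCKED_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# NAT mapping rows: (internal_ip, internal_port, public_port, start, end).
# A shared public address with per-connection ports models Hide NAT / PAT.
NAT_MAPPINGS = [
    ("10.0.0.15", 1025, 40001, "2000-11-30 12:01:00", "2000-11-30 12:20:00"),
    ("10.0.0.27", 1026, 40002, "2000-11-30 12:05:00", "2000-11-30 12:15:00"),
    ("10.0.0.15", 1030, 40002, "2000-11-30 12:30:00", "2000-11-30 12:45:00"),
]

# Sniffer log on the outside interface: (timestamp, src_port, dst_ip, dst_port).
SNIFFER_LOG = [
    ("2000-11-30 12:03:10", 40001, "192.0.2.44", 8888),
    ("2000-11-30 12:07:45", 40002, "198.51.100.9", 80),
    ("2000-11-30 12:08:00", 40001, "203.0.113.5", 80),   # not a blocked net
    ("2000-11-30 12:35:00", 40002, "192.0.2.44", 8888),  # port 40002 reused
    ("2000-11-30 12:50:00", 40003, "192.0.2.7", 8888),   # no mapping kept
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def in_blocked_net(ip):
    addr = ip_address(ip)
    return any(addr in net for net in BLOCKED_NETS)

def attribute(sniffer_log=SNIFFER_LOG, nat_mappings=NAT_MAPPINGS):
    """Return (timestamp, internal_ip, dst_ip, dst_port) for every sniffed
    connection into a blocked range. The owner is the mapping that held the
    public source port at that instant; None means the log cannot say."""
    hits = []
    for ts, sport, dst, dport in sniffer_log:
        if not in_blocked_net(dst):
            continue
        t = _ts(ts)
        owner = next((iip for iip, _ip, pport, start, end in nat_mappings
                      if pport == sport and _ts(start) <= t <= _ts(end)), None)
        hits.append((ts, owner, dst, dport))
    return hits

if __name__ == "__main__":
    for ts, who, dst, dport in attribute():
        print(f"{ts} {who or 'UNATTRIBUTED'} -> {dst}:{dport}")
```

The unattributed row is the case to watch for: once the mapping has aged out of the table, the capture alone cannot name the client, which is why the mapping logs have to be retained alongside the sniffer data.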
